The phishing emails, as basic as they are, inform customers that they have an invoice worth thousands of dollars to pay, and the amount will be taken out of their accounts in the near future.
Based in College Point, NY, Restaurant Depot is a members-only wholesale cash & carry provider of goods to commercial food service entities including equipment, point of sale (PoS) systems, and refrigeration units.
As the case with phishing emails in general, the link to the 'invoice' is malicious and recipients of the messages, which make use of a spoofed Restaurant Depot email address, should not click the link or pay the email any heed.
An example of the phishing email forwarded to ZDNet is below, and included the spoofed Restaurant Depot firstname.lastname@example.org email address, the customer's trading name, and address (redacted):
Another example posted online demanded an invoice payment of $1924.04. Some customers have received more than one suspicious email.
On Twitter, one user said they had managed to get through to the company and that the wholesaler is aware of the email list compromise, adding "It's pretty big, the breach."
Update 7.19 BST: ZDNet requested comment from Restaurant Depot and received the following boilerplate statement:
"Thank you for contacting us regarding the email you received that appears to be from us indicating an invoice is due. That email is NOT from us. Please delete it without opening. Please be assured that we are taking steps to find the culprit and will do everything in our power to prevent this from happening in the future. Thank you as always for your business."
These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)